Companies planning to use vaccine credentials to reopen offices will face a new challenge that will require an all-teams-on-deck approach -- how to manage vaccination data.
That's according to Heidi Shey, principal analyst at Forrester Research and co-author of the report "The opportunity, the unknowns, and the risks of vaccine passports in the workplace," which was published in late March.
"If they haven't already, it needs to be almost like a committee they have internally for these types of discussions," Shey said. "IT, security, HR, privacy, legal, risk -- everybody needs to be at that table."
Vaccine credentials, sometimes called vaccine passports, enable a person to prove they've been vaccinated against COVID-19 and are growing in popularity. The Biden administration recently announced it was working with the private sector to develop standards for vaccine credentials in an effort to return life, including office life, to normal. But the tools can also pose problems for the enterprise.
Companies interested in using vaccine passports to reopen offices should get started on preparing policies that address concerns about employee privacy when it comes to vaccination data and liability. For IT teams in particular, it will be a time to implement privacy and security controls for sensitive vaccine data.
COVID-19 vaccine data
The private sector, which the White House recently said will drive the creation of COVID-19 vaccine passports, is already developing an array of options from a driver's license-like card to digital apps that can live on smartphones.
The IBM-Salesforce Digital Health Pass, built on blockchain technology, enables organizations to verify a person's health credentials digitally, while the Vaccine Credential Initiative, which includes efforts from Microsoft, the Mayo Clinic and Oracle, as well as EHR vendors Cerner and Epic, aims to give users digital access to their vaccination records.
With the many vaccine passport options an employer could potentially choose from, Shey said it's important for an organization to first craft a policy that touches on what information it will need from an employee.
Vaccination data is health information, meaning there are privacy and regulatory requirements to consider. One of the decisions an organization could make is to use the least amount of data possible from a vaccine passport to verify a person's vaccination status.
"They might not need all the details that you could get within the vaccine passport for returning to workplace purposes," Shey said. "It could be a yes-or-no binary thing -- yes you have been vaccinated or no you have not."
Once organizations figure out what data they'd like to collect, they'll also need to think about how to store and secure it, Shey said.
Companies interested in vaccine verification should form committees to discuss how sensitive data will be handled.
Alla Valente, senior analyst at Forrester and a co-author of the Forrester report on vaccine passports in the workplace, said organizations that provided flu vaccinations through their health and wellness programs already have collection and storage processes in place for managing sensitive data -- processes they may be able to reuse for COVID-19 vaccine data.
Companies will also need to prepare for the unknowns around this new vaccine. Vaccine efficacy is still unclear, meaning vaccine developers don't know if getting the initial doses will prevent the disease entirely or if routine doses will be needed.
"So, would [employers] constantly be getting new data that they have to add to that employee's records, or is it a binary yes or no -- this individual has had the vaccine or not," Valente said. "There are still so many unknowns with even the volume and the scale of the data they might have to collect."
If COVID-19 vaccination data is something an organization collects and holds onto, Shey said it will be critical that IT teams implement policies and controls around access to that data, as well as planning for the lifecycle of the data.
"That's why that whole policy aspect is still super important, as well as being able to communicate with employees about how they're handling this information, how long it will be kept for, what do they do with this information -- so it's transparent to people," Shey said.
Repurposing COVID-19 tracing tech
Shey said IT executives who implemented COVID-19 contact tracing programs may have a head start on handling vaccination data.
Contact tracing programs required IT teams to consider data privacy concerns, including location tracking and employee exposure notifications, and establish policies, according to Shey. They'll face similar issues with vaccine passports -- but contact tracing policies and technology investments could help, Shey said.
For example, Everbridge, a critical event management platform provider, launched new products and services to assist with contact tracing efforts. Everbridge's platform orchestrates an organization's crisis communications, teams and resources, and Shey believes organizations could also rely on the company's crisis management workflow for vaccination requirements.
For as long as they have the data, they need to make third-party security front and center.
Alla ValenteSenior analyst, Forrester
"I think they might also have something here that could support the vaccine passport piece as well," she said. "They can integrate into the other pieces of information that the organization would already be able to see about their workforce, whether it's people badging into the office or employee analytics of sorts that they can triangulate."
Working with a third-party organization like Everbridge, however, creates challenges of its own. If a company like Everbridge will be handling vaccination data, IT and security teams would need to be vigilant when managing third-party risk, according to Valente.
Organizations already know that third parties add additional risk to their enterprise security, but it's not always something that's evaluated continuously during the relationship.
"It's typically more like, 'We want to bring in this new technology, but make sure we dot our i's and cross our t's so we can work with that,'" she said. "Any type of ongoing security assessment or risk assessment sort of falls by the wayside."
Valente said when IT professionals handle employees' sensitive, personally identifiable information, they'll have to ensure risk management is done on an ongoing basis.
"For as long as they have the data, they need to make third-party security front and center," Valente said.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington Star-News and a crime and education reporter at the Wabash Plain Dealer.
